
[Bug]: Starlette CVE-2025-62727 vulnerability needs urgent upgrade to >=0.49.1 #28552

@shernshiou

Description


Your current environment

  • vllm Docker image built from main repository
  • starlette installed via requirements/test.txt
  • starlette version: 0.46.2 (affected by CVE-2025-62727)
  • fastapi version: 0.110.0

See requirements/test.txt for versions.

starlette==0.46.2
fastapi==0.110.0

🐛 Describe the bug

The project currently pins starlette==0.46.2 in requirements/test.txt and possibly other requirements files. This version is affected by CVE-2025-62727, a critical security vulnerability. CVE details: https://github.com/advisories/GHSA-6xx7-wv9q-m772

Fix:
Starlette patched the vulnerability in v0.49.1. The project should upgrade the dependency to starlette>=0.49.1 in all requirements, and the Docker image should be rebuilt to use the safe version. PR incoming.

Minimal Reproduction:
Check the requirements file and build the Docker image as currently instructed for vllm. Inspect installed starlette version after build:

python -c "import starlette; print(starlette.__version__)"

Current result: prints 0.46.2 (vulnerable)
Expected result: prints >=0.49.1 (safe)


I am preparing a PR to update requirements and Docker image as described. Please advise if additional places beyond requirements/test.txt should be patched.
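A dependency-pin audit, added here as an illustration (it is not part of the issue or of vllm's code): it scans requirements text for starlette specifiers that still admit a release below 0.49.1, the fixed version the issue names, and handles comments, extras, compound specifiers and `-r` includes. The sample requirements text is constructed for the example.

```python
import re
from itertools import takewhile
from typing import List, Optional, Tuple
FIXED_STARLETTE = "0.49.1"  # first release with the fix for CVE-2025-62727, per the issue
_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(?P<spec>[^;]*)")
_SPEC_RE = re.compile(r"^\s*(?P<op>==|~=|!=|<=|>=|<|>)\s*(?P<ver>\S+)\s*$")

def parse_version(ver: str) -> Tuple[int, ...]:
    # Release segment only, padded to 3 parts; '*' or '1rc1' ends it early (errs toward flagging).
    nums = [int(p) for p in takewhile(str.isdigit, ver.split("."))]
    return tuple((nums + [0, 0, 0])[:3])

def check_specifiers(spec: str, fixed: Tuple[int, ...]) -> Optional[str]:
    """Why `spec` still admits a release older than `fixed`, or None if it cannot."""
    floor = None                # lowest release the lower bounds permit
    ceiling_blocks_fix = False  # an upper bound rules out every fixed release
    for m in filter(None, map(_SPEC_RE.match, spec.split(","))):
        op, ver = m.group("op"), parse_version(m.group("ver"))
        if op in ("==", "~=", ">=", ">"):
            floor = ver if floor is None else max(floor, ver)
        if (op == "<" and ver <= fixed) or (op == "<=" and ver < fixed):
            ceiling_blocks_fix = True
    if ceiling_blocks_fix:
        return f"upper bound excludes every release >= {'.'.join(map(str, fixed))}"
    if floor is None or floor < fixed:
        low = "no lower bound" if floor is None else "floor " + ".".join(map(str, floor))
        return f"{low}: releases older than {'.'.join(map(str, fixed))} are still allowed"
    return None

def audit_requirements(text: str, package: str = "starlette",
                       fixed: str = FIXED_STARLETTE) -> List[Tuple[int, str, str]]:
    # (line_no, line, reason) for each `package` requirement that still admits a release < fixed
    fixed_v, findings = parse_version(fixed), []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or line.startswith("-"):  # blank line, or an option such as `-r common.txt`
            continue
        m = _REQ_RE.match(line)
        if m and m.group("name").lower().replace("_", "-") == package:
            reason = check_specifiers(m.group("spec"), fixed_v)
            if reason:
                findings.append((n, raw.strip(), reason))
    return findings

# Constructed sample modelled on the pins quoted in the issue, not vllm's actual file.
SAMPLE_REQUIREMENTS = """\
starlette==0.46.2
fastapi==0.110.0
Starlette[full]>=0.40,<0.47   # extras, mixed case, compound specifier
starlette>=0.49.1 ; python_version >= "3.9"
"""
```

Running `audit_requirements` over every file under `requirements/` would answer the question of which other pins need the bump.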

